A common problem with SAP applications is that they store free text with each line in a database column; this adds formatting hassle when the free text comes from many different sources. For this purpose I have written a small application that takes seemingly garbled text and formats it into readable, SAP-friendly output.

The input must obey a few simple rules: bulleted paragraphs may not contain any empty lines, and valid bullets are sequential numbers (1., 2., ...), sequential letters (a., b., ...) or the • character. The text below is a sample input.

SAP, started in 1972 by five former IBM employees in Mannheim, Germany, states that it is the world's largest inter-enterprise software company and the world's fourth-largest independent software supplier, overall.

1. The original name for SAP was German: Systeme, Anwendungen, Produkte, 2. German for "Systems Applications and Products." The original SAP 3. idea was to provide customers with the ability to interact with a common corporate database for a comprehensive range of applications. a.Gradually, the applications have been assembled and today many corporations, b.including IBM and Microsoft, are using SAP products to run their own businesses.• SAP applications, built around their latest R/3 system, provide the capability to manage financial, asset, and cost accounting, • production operations and materials, personnel, plants, and archived documents. The R/3 system runs on a number of platforms including Windows 2000 and uses the client/server model. The latest version of R/3 includes a comprehensive Internet-enabled package.c. SAP has recently recast its product offerings under a comprehensived. Web interface, called mySAP.com, and added new e-business applications, including customer relationship management (CRM) and supply chain management (SCM).4. As of January 2007, SAP, a publicly traded company, had over 38,4000 employees in over 50 countries, 5. and more than 36,200 customers around the world. SAP is turning its attention to small- and-medium sized businesses (SMB).

Introduction
System Requirements
Date and Time configuration
DNS configuration
Creating a unique service account in Active Directory
Create a Single Sign On group in Active Directory
Generate a Keytab file on the Windows 2008R2 machine
Configuring the Negotiate Identity Assertion Provider
Configuring an Active Directory Authentication Provider
Create a Kerberos Configuration file
Creating a JAAS Login File
Startup Arguments for Kerberos Authentication with WebLogic Server
Creating the Kerberos Ticket for WebLogic
Setup Internet Explorer (and others) on the Windows 7 client
Enabling DES support for legacy applications
Debugging
References

This article is a step-by-step guide to configuring Single Sign-On (SSO) with Kerberos in a mixed-OS environment. Before we get started, let me just say that Kerberos/SPNEGO is one of those things that is awesome when it works and incredibly frustrating to debug when it doesn't. Add to the mix the fact that so much of what happens is automatic, and that few people understand what is really going on, and you have a recipe for pain and frustration. So if during this process you feel like pulling out what is left of your hair, go ahead; you are fully entitled to do so.

How does this work? Here is a brief overview:

The browser sends a GET request to your web application (1), which answers with a 401 and a WWW-Authenticate: Negotiate header, telling the browser that "negotiate" authentication is required (2). The browser asks the Kerberos server (the KDC, here the Active Directory domain controller) for a so-called service ticket for the web application's service principal (3), and the KDC returns it (4). The browser then repeats the request with the service ticket, wrapped in a SPNEGO token in the Authorization header, which proves the identity of the caller, together with some additional data (5). The web application validates the ticket with the service key it shares with the KDC (the key stored in the keytab file) and obtains the username from it. No password ever travels to the web application, and the browser only does this for hosts it trusts (see the client configuration at the end).

Note: Everything in Kerberos is a principal: machines, services and even users. A principal is identified by a string in one of two forms. Services use a Service Principal Name (SPN) of the form PROTOCOL/hostname (e.g. HTTP/www.matas.dk for a web server), usually written fully qualified as HTTP/www.matas.dk@REALM; users use username@REALM (e.g. fodsved@MATAS.DK). Case matters: MIT Kerberos, and therefore the JDK's Kerberos implementation, treats principal names as case-sensitive even though Active Directory itself does not, so by convention the protocol (HTTP) and the realm are always in CAPITAL LETTERS and the hostname and username are always in lower case.

System requirements

For today's exercise we will use Windows 2008 R2 for the Active Directory, Oracle Linux for the WebLogic server, and Windows 7 with Internet Explorer on the clients.

Active Directory
    Windows 2008 R2
    Domain: MATAS.LOCAL
    Domain Controller: FREJA
    Host name: freja
    IP address: 192.168.56.121
    DNS server: 192.168.56.121

WebLogic Server 10.3.4.0
    Oracle Enterprise Linux 5
    JDK 1.6.2.
    Oracle host name: localhost.oracle
    DNS search path: oracle
    IP address: 192.168.56.101
    DNS server: 192.168.56.121

Client: Internet Explorer 8 and later, or a .NET Web Service client
    Windows 7 (or Windows XP)
    IP address: 192.168.56.99
    DNS server: 192.168.56.121

Date and Time configuration

Have all machines synchronized to the same time zone, date and time. Kerberos rejects tickets and authenticators whose timestamps differ from the local clock by more than the permitted clock skew (5 minutes by default), so a drifting clock on any of the three machines produces authentication failures that look like key or configuration problems. The simplest arrangement is to point the Linux server and the clients at the domain controller as their NTP source.

DNS configuration

Kerberos clients locate the KDC through DNS SRV records. Make sure the following records exist in your DNS server and point at the domain controller (Kerberos listens on port 88):

_kerberos._tcp.matas.local SRV 0 100 88 freja.matas.local.
_kerberos._udp.matas.local SRV 0 100 88 freja.matas.local.
_kerberos-master._tcp.matas.local SRV 0 100 88 freja.matas.local.
_kerberos-master._udp.matas.local SRV 0 100 88 freja.matas.local.

and that freja.matas.local itself has an A record for 192.168.56.121. Active Directory registers the _kerberos._tcp and _kerberos._udp records itself when the domain controller is allowed to update DNS dynamically; the _kerberos-master records are an MIT Kerberos convention and only matter for MIT clients doing DNS-based KDC lookup, so add them by hand if you want them. In any case check that the records are present: an SRV query for _kerberos._tcp.matas.local (with nslookup or dig, against 192.168.56.121) must return the domain controller. The WebLogic host must also resolve forwards and backwards under the name users will type in the URL, because that name becomes the service principal name in the next steps.

Creating a unique service account in Active Directory

Create a dedicated user account in Active Directory for the WebLogic server (wlsuser in this article) and set its password never to expire: the keytab generated below is derived from that password and stops working the moment it changes.

Note: An SPN may be registered on only one account in the forest. If IIS is installed on a domain-joined Windows machine with the same name, that machine already answers for HTTP/machine and HTTP/machine.domain.com and you will never get Kerberos on WebLogic working correctly; uninstall IIS or use a different host name. Duplicate SPNs are the most common cause of silent SPNEGO failure (the KDC cannot tell which key to use and the browser quietly falls back to NTLM), so check for duplicates with setspn -X before and after registering.

Once you have created that user, use the setspn utility to associate the HTTP/machine and HTTP/machine.domain.com principals with it:

setspn -a HTTP/wlserver wlsuser
setspn -a HTTP/wlserver.oracle wlsuser

The hostname part must be exactly the name users type in the URL: the browser builds the SPN from the URL's host, so a request to http://wlserver.oracle/... asks the KDC for HTTP/wlserver.oracle, and a ticket for any other name will not be issued. Verify the registration with setspn -L wlsuser.

Create a Single Sign On group in Active Directory

Create a group in Active Directory called WebLogicADusers and add all Active Directory users who should have Single Sign-On access to the WebLogic server. The group is referenced in the weblogic.xml deployment descriptor of your web application or service (as the principal-name of a security-role-assignment), which is what maps the authenticated Kerberos identity to an application role; authentication alone does not grant access to anything.

Note: Do not use spaces in group names; it will not work at all with WebLogic SSO.

Generate a Keytab file on the Windows 2008R2 machine

The ktpass command configures the service principal name for the host or service in Active Directory and generates an MIT-style Kerberos keytab file containing the shared secret key of the service. This is what lets UNIX-based services that support Kerberos authentication use the Windows Server Kerberos KDC. You give ktpass the service principal (HTTP/wlserver.oracle@MATAS.LOCAL), the account to map it to (wlsuser), the account password, the principal type, the encryption type and the output file name. Choose RC4-HMAC or AES as the encryption type rather than DES unless you are forced to (see "Enabling DES support for legacy applications" below).

Note: The ktpass command changes the account's user principal name in Active Directory from account-name to HTTP/account-name, so the keytab file is generated for a principal named HTTP/account-name. Sometimes the name change does not happen; if not, change it manually in Active Directory, otherwise the keytab you generate will not work properly. The reason lies in the key derivation: with RC4-HMAC the key is simply the NT hash of the password and does not depend on the name, but the AES encryption types salt the key with the principal name, so a keytab made under one name cannot decrypt tickets the KDC encrypts under another. Also be aware that each run of ktpass that sets the password increments the account's key version number (kvno); a keytab from an earlier run no longer matches, and a kvno mismatch between keytab and KDC is a classic cause of failure.

Now copy the generated krb5.keytab file to the WebLogic machine. I put it in the folder /etc. The keytab is a long-term secret equivalent to the service account's password: make it owned by the user that runs WebLogic with mode 0600, transfer it over an encrypted channel, and delete the copy left on the domain controller.
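Before moving on it pays to look inside the keytab you copied over. The MIT klist -k -t -e command does this, but the following Python script, an added example that is not part of the original article, shows what the file actually contains (the 0x0502 keytab layout: principal, kvno and encryption type) and checks that it holds a key for exactly the SPN WebLogic will be asked for, flagging the case-only mismatches the note above warns about. The sample keytab it builds in build_keytab() is constructed here with a dummy key; the file name and SPN are the ones used in this article.

```python
"""Read an MIT keytab (format 0x0502) and check it holds the expected SPN.

Added example for this article, not the author's code. The byte layout is the
MIT krb5 keytab format; the sample keytab built at the bottom is constructed
with a dummy key so the script runs without a real file.
"""
import struct
import sys

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac (RC4-HMAC-NT)"}


def _counted(buf, off):
    """Counted octet string: uint16 big-endian length followed by the bytes."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n


def _parse_entry(buf):
    off = 0
    (ncomp,) = struct.unpack(">H", buf[off:off + 2]); off += 2
    realm, off = _counted(buf, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(buf, off)
        comps.append(comp)
    # name_type (uint32), timestamp (uint32), 8-bit key version number
    name_type, timestamp, kvno = struct.unpack(">IIB", buf[off:off + 9]); off += 9
    enctype, klen = struct.unpack(">HH", buf[off:off + 4]); off += 4
    key = buf[off:off + klen]; off += klen
    if len(buf) - off >= 4:                    # optional 32-bit kvno overrides the 8-bit one
        (kvno32,) = struct.unpack(">I", buf[off:off + 4])
        kvno = kvno32 or kvno
    principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
    return {"principal": principal, "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype, "key": key}


def parse_keytab(data):
    """Return the list of entries in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab (header %r)" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                          # negative size marks a deleted slot; skip it
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size])); pos += size
    return entries


def check_keytab(data, expected_spn):
    """(ok, message): ok only if an entry matches expected_spn exactly, case included."""
    entries = parse_keytab(data)
    exact = [e for e in entries if e["principal"] == expected_spn]
    if exact:
        return True, "; ".join(
            "%s kvno %d %s" % (e["principal"], e["kvno"],
                               ENCTYPES.get(e["enctype"], "enctype %d" % e["enctype"]))
            for e in exact)
    near = [e["principal"] for e in entries if e["principal"].lower() == expected_spn.lower()]
    if near:
        return False, "only a case variant is present (%s); Kerberos will not match it" % near
    return False, "no key for %s; keytab holds %s" % (
        expected_spn, sorted({e["principal"] for e in entries}))


def build_keytab(principal, kvno, enctype, key, timestamp=0):
    """Encode a single-entry 0x0502 keytab; used here only to construct sample input."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


# Constructed sample: what ktpass with RC4-HMAC-NT would produce for this article's SPN (dummy key).
SAMPLE_KEYTAB = build_keytab("HTTP/wlserver.oracle@MATAS.LOCAL", 3, 23, bytes(range(16)))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    spn = sys.argv[2] if len(sys.argv) > 2 else "HTTP/wlserver.oracle@MATAS.LOCAL"
    ok, msg = check_keytab(data, spn)
    print("OK:" if ok else "PROBLEM:", msg)
```

Run it on the WebLogic host as python keytab_check.py /etc/krb5.keytab HTTP/wlserver.oracle@MATAS.LOCAL (the script name is my choice). A kvno that differs from the one the KDC uses, an encryption type your JDK cannot handle, or a principal that differs only in case from the SPN you registered with setspn is the usual explanation when kinit -k fails later.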

Configuring the Negotiate Identity Assertion Provider

In the WebLogic Administration Console, open your security realm's Providers tab (Security Realms > myrealm > Providers > Authentication), create a new authentication provider, select NegotiateIdentityAsserter from the drop-down list and name it KerberosIdentityAsserter. Go into the identity asserter's configuration, click the Provider Specific tab and uncheck the "Form Based Negotiation Enabled" box. Restart the server after adding the provider; provider changes are not picked up at runtime.

Creating a JAAS Login File

The Kerberos-related classes included with the JDK require a configuration file to run properly. Basically this file tells the GSS layer which login module does the actual work and provides configuration information to that module (which principal WebLogic acts as, and where its keytab is). Create a krb5login.conf file with the contents below and place it in your domain's home directory, in my case /u01/app/oracle/product/Middleware/user_projects/domains/webcenter.

You specify the location of the krb5login.conf file in the java.security.auth.login.config startup argument for WebLogic Server. Keep the file readable only by the WebLogic user, since it names the keytab that holds the service key.
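The author's krb5login.conf is not reproduced on this page. The following is an added example of the file in the form the JDK 6 Krb5LoginModule expects, not the author's own; it assumes the keytab location (/etc/krb5.keytab) and SPN (HTTP/wlserver.oracle@MATAS.LOCAL) used earlier in this article. JDK 6's GSS layer looks up the entries by the names com.sun.security.jgss.krb5.initiate and com.sun.security.jgss.krb5.accept; WebLogic only needs the accept side to validate browser tickets, but the initiate entry lets the same server call other Kerberos-protected services as wlsuser.

```conf
/* JAAS login configuration for WebLogic's SPNEGO identity asserter (added example).
   Assumes /etc/krb5.keytab and the SPN HTTP/wlserver.oracle@MATAS.LOCAL from this article. */

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/wlserver.oracle@MATAS.LOCAL"
        useKeyTab=true
        keyTab="/etc/krb5.keytab"
        storeKey=true
        doNotPrompt=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/wlserver.oracle@MATAS.LOCAL"
        useKeyTab=true
        keyTab="/etc/krb5.keytab"
        storeKey=true
        doNotPrompt=true;
};
```

storeKey=true is what makes the service key available to the GSS acceptor; without it the module logs in but WebLogic cannot decrypt the browser's ticket. The file is wired in through JAVA_OPTIONS in the domain's setDomainEnv.sh with -Djava.security.auth.login.config=/u01/app/oracle/product/Middleware/user_projects/domains/webcenter/krb5login.conf, -Djava.security.krb5.conf=/etc/krb5.conf and -Djavax.security.auth.useSubjectCredsOnly=false; add -Dsun.security.krb5.debug=true while troubleshooting and remove it afterwards, as it logs every ticket exchange.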

Create a Kerberos Configuration file

For Kerberos to authenticate against Active Directory, the Linux system must be configured as a Kerberos client of the realm (domain) in /etc/krb5.conf. Oracle Linux supplies the MIT Kerberos software; if the krb5-workstation package is installed, the client programs (kinit, klist, ktutil) are in /usr/kerberos/bin/ on Oracle Enterprise Linux 5.
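The krb5.conf the author used is not on this page. Here is an added example for the environment described in the system requirements (realm MATAS.LOCAL, KDC freja.matas.local, WebLogic host in the DNS domain oracle); it is not the author's file. The domain_realm mapping for .oracle is an assumption that follows from the host names given above. The encryption-type lines assume the default Windows 2008 R2 policy (AES and RC4, no DES); aes256 additionally requires the unlimited-strength JCE policy files on JDK 6, so drop it if you have not installed those.

```ini
# /etc/krb5.conf for the WebLogic host (added example, assumptions noted inline)
[libdefaults]
    default_realm = MATAS.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = true
    # Windows 2008 R2 defaults: AES and RC4. Add des-cbc-md5 des-cbc-crc only if you
    # enabled DES on the Windows side (see "Enabling DES support for legacy applications").
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    MATAS.LOCAL = {
        kdc = freja.matas.local:88
        admin_server = freja.matas.local
        default_domain = matas.local
    }

[domain_realm]
    .matas.local = MATAS.LOCAL
    matas.local = MATAS.LOCAL
    # Assumed: the WebLogic host is in DNS domain "oracle" but its SPN lives in MATAS.LOCAL
    .oracle = MATAS.LOCAL
    oracle = MATAS.LOCAL

[logging]
    default = FILE:/var/log/krb5libs.log
```

With dns_lookup_kdc = true the SRV records from the DNS section are used as a fallback for the explicit kdc line, which is why it is worth verifying them; with a wrong or missing domain_realm mapping the JDK cannot work out which realm HTTP/wlserver.oracle belongs to and fails before ever contacting the KDC.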

Creating the Kerberos Ticket for WebLogic

Now obtain a ticket using the kinit command like so:

kinit -k -t /etc/krb5.keytab HTTP/wlserver.oracle@MATAS.LOCAL

This should exit without any error messages. kinit -k proves that the keytab holds a key the KDC accepts for that principal, which is exactly what WebLogic will rely on; a failure here ("Preauthentication failed", or "Client not found in Kerberos database") means the keytab, the principal name or the realm does not match what Active Directory holds, and nothing further will work until it does. The ticket will now appear when you run klist -5: a ticket-granting ticket for HTTP/wlserver.oracle@MATAS.LOCAL issued by krbtgt/MATAS.LOCAL@MATAS.LOCAL. WebLogic itself does not use this ticket cache; it reads the keytab directly through the JAAS configuration, so kinit here is a test, not a required step.

Setup Internet Explorer (and others) on the Windows 7 client

In Internet Explorer open Tools > Internet Options, switch to the Security tab and click Local intranet > Sites; in the Local intranet popup ensure that the "Include all sites that bypass the proxy server" and "Include all local (intranet) sites not listed in other zones" options are checked. Then click the Advanced button and add all the domain names that will be used for WebLogic Server instances participating in the SSO configuration, in our case http://*.wlserver.oracle.

Also in the Security tab, click Local intranet > Custom Level and, under User Authentication, select "Automatic logon with current user name and password" (or "Automatic logon only in Intranet zone"). Without this Internet Explorer prompts for credentials instead of sending a ticket.

Test that the client is actually obtaining a ticket. First clear the ticket cache by running klist purge in a command prompt, then run klist; it should report 0 cached tickets. Browse to your security-enabled WebLogic application and run klist again; it should now list a ticket for HTTP/wlserver.oracle@MATAS.LOCAL. If no such ticket appears, the browser never attempted Kerberos (wrong zone, wrong host name, or an SPN the KDC does not know) and the problem is on the client or directory side, not in WebLogic.

Google Chrome: start chrome.exe with the parameter --auth-server-whitelist="*matas.local". This allows SSO with Chrome. The pattern must match the host name in the URL you browse to, so for the WebLogic host in this article you would use "*.oracle" or the host name itself rather than "*matas.local". On Windows, Chrome without this flag uses Internet Explorer's Local intranet zone settings, so the IE configuration above is usually enough.

Firefox:
· In the address bar of Firefox, type about:config to display the list of current configuration options.
· In the Filter field, type negotiate to restrict the list of options.
· Double-click the network.negotiate-auth.trusted-uris entry to display the Enter string value dialog box.
· Enter the name of the domain against which you want to authenticate, for example .matas.local (again, this must match the host in the URL, so .oracle for this article's server).
· Repeat the procedure for the network.negotiate-auth.delegation-uris entry, using the same domain, but only if WebLogic must act on the user's behalf towards a back end: delegation hands the server a forwardable copy of the user's credentials, so leave it unset otherwise.

Enabling DES support for legacy applications

DES encryption is disabled by default in Windows 2008 R2 and Windows 7, which can cause compatibility problems with legacy applications that only support DES, or when the Windows account that runs a service is configured to use only DES encryption. Such services or applications will fail unless you reconfigure them to use another encryption type or you enable DES support. Prefer the former: DES is a 56-bit cipher that is broken in practice, and enabling it for Kerberos lets anyone who captures a service ticket recover the service account's key offline. The JDK 6 Kerberos stack supports RC4-HMAC and AES (AES-256 with the unlimited-strength JCE policy files), so a WebLogic setup on a current JDK does not need DES at all.

If you must, you can enable DES encryption for Kerberos authentication on Windows 7 or Server 2008 R2 by editing the Group Policy setting Network security: Configure encryption types allowed for Kerberos, located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. The setting can be edited locally with gpedit.msc, or in a domain GPO for all machines; the Kerberos client and the KDC must both allow the type, and the service account's own "Use Kerberos DES encryption types" flag must be set.

Debugging

Check for spelling and case errors in principal names, realm names and host names; this is the most common cause of failures.

Turn on Kerberos debugging in the JDK with -Dsun.security.krb5.debug=true in the WebLogic startup arguments. It prints which krb5.conf, keytab and principal are in use, the encryption types negotiated, and the exact Kerberos error, which the browser only ever shows you as a 401.

In general, Wireshark is your friend. Capture network traffic on the WebLogic host or the client and filter on kerberos and http: it exposes the KRB-ERROR codes from the KDC (KDC_ERR_S_PRINCIPAL_UNKNOWN means the SPN is not registered, KDC_ERR_ETYPE_NOSUPP means client and KDC have no encryption type in common) and, in the HTTP Authorization header, whether the browser actually sent a Kerberos token or fell back to NTLM, which WebLogic's Negotiate identity asserter cannot process.
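The single most useful thing to read out of a capture is the Authorization header from step (5) of the overview: it tells you whether the browser is talking Kerberos at all. The following Python script is an added example, not part of the original article, that decodes such a header and says whether it carries a SPNEGO token that prefers Kerberos (what a healthy Internet Explorer sends), a SPNEGO token that only offers NTLM, or a bare NTLM message (what IE sends when it could not get a service ticket). The token layout and OIDs are the real ones from the GSS-API and SPNEGO RFCs; the three sample headers at the bottom are constructed here, not captured from a live system.

```python
"""Classify the token in a browser's "Authorization: Negotiate ..." header.

Added example for this article, not the author's code. Token layout and OIDs
follow RFC 2743 (GSS-API), RFC 4178 (SPNEGO) and RFC 4121 (Kerberos mechanism);
the sample headers at the bottom are constructed, not captured.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"          # legacy Microsoft Kerberos OID, listed first by IE
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5_OID: "Kerberos V5", MS_KRB5_OID: "Kerberos V5 (MS legacy OID)",
              NTLMSSP_OID: "NTLMSSP", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}


def der_read(buf, off):
    """Read one DER TLV at buf[off]; return (tag, content, offset after the TLV)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_oid(content):
    """Decode OID content bytes to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(str(a) for a in arcs)


def classify_negotiate(header_value):
    """Return (verdict, mechanisms) for the value of an Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate", []
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):        # bare NTLM type 1: IE could not get a ticket
        return "raw-ntlm", ["NTLMSSP"]
    if token[0] != 0x60:                         # GSS InitialContextToken = [APPLICATION 0]
        return "unknown", []
    _, inner, _ = der_read(token, 0)
    _, oid_bytes, off = der_read(inner, 0)       # thisMech OID
    mech = der_oid(oid_bytes)
    if mech in (KRB5_OID, MS_KRB5_OID):
        return "raw-kerberos", [MECH_NAMES[mech]]
    if mech != SPNEGO_OID:
        return "unknown", [mech]
    # NegotiationToken [0] NegTokenInit ::= SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    _, neg_init, _ = der_read(inner, off)
    _, seq, _ = der_read(neg_init, 0)
    ctx, mech_types, _ = der_read(seq, 0)
    if ctx != 0xA0:
        return "spnego-no-mechtypes", []
    _, mech_seq, _ = der_read(mech_types, 0)
    mechs, pos = [], 0
    while pos < len(mech_seq):
        _, oid_bytes, pos = der_read(mech_seq, pos)
        oid = der_oid(oid_bytes)
        mechs.append(MECH_NAMES.get(oid, oid))
    # SPNEGO commits to the first listed mechanism; WebLogic's asserter needs it to be Kerberos
    if mechs and mechs[0].startswith("Kerberos"):
        return "spnego-kerberos", mechs
    return "spnego-ntlm-first", mechs


# Encoding side of the same DER rules, used only to construct the samples below.
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_oid_enc(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F)); a >>= 7
        out += bytes(chunk)
    return der_tlv(0x06, bytes(out))


def spnego_init(mech_oids, mech_token=bytes(200)):
    """NegTokenInit with the given mechTypes and a dummy mechToken (forces long-form lengths)."""
    mech_list = der_tlv(0x30, b"".join(der_oid_enc(o) for o in mech_oids))
    neg_init = der_tlv(0x30, der_tlv(0xA0, mech_list) + der_tlv(0xA2, der_tlv(0x04, mech_token)))
    return der_tlv(0x60, der_oid_enc(SPNEGO_OID) + der_tlv(0xA0, neg_init))


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples: a healthy IE token, a SPNEGO token offering only NTLM, and bare NTLM.
KERBEROS_HEADER = negotiate_header(spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]))
NTLM_IN_SPNEGO_HEADER = negotiate_header(spnego_init([NTLMSSP_OID]))
RAW_NTLM_HEADER = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + bytes(24))

if __name__ == "__main__":
    for name in ("KERBEROS_HEADER", "NTLM_IN_SPNEGO_HEADER", "RAW_NTLM_HEADER"):
        print(name, "->", classify_negotiate(globals()[name]))
```

Paste the Authorization header value from Wireshark (or from the browser's developer tools) into classify_negotiate(). Anything other than spnego-kerberos or raw-kerberos means the failure is upstream of WebLogic: the client could not obtain a ticket for the SPN it derived from the URL, so go back to the DNS, setspn and browser-zone steps rather than the JAAS or keytab configuration.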